
The eval() Epidemic in MCP Servers: Three CVEs, One Root Cause
In February 2026, three separate MCP server vulnerabilities were published to NVD. All three allow unauthenticated remote code execution. All three share the same root cause: developers treating user input as executable code. This isn't a coincidence. It's a pattern. And it's going to get worse.

Three CVEs, One Month

CVE-2026-0755 — gemini-mcp-tool
CVSS: Critical. The execAsync method constructs OS commands from user-supplied strings without sanitizing shell metacharacters. An attacker sends a specially crafted request. The server executes arbitrary shell commands with service account privileges. No authentication required.

CVE-2026-1977 — mcp-vegalite-server
A visualization MCP server that renders Vega-Lite charts. The visualize_data component passes the vegalite_specification argument directly into Python's eval(). An attacker crafts a malicious specification. The server runs arbitrary Python code. Maintainers were notified through GitHub but haven't responded as of this writing.

CV
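The vegalite case as an added illustration (example code written for this post, not code from mcp-vegalite-server): a hypothetical handler that evaluates the specification string beside one that parses it as JSON data and checks its shape, so the same request that eval() would execute is rejected before anything runs. The allow-listed top-level keys are an assumed subset of Vega-Lite's, and the sample inputs are constructed.

```python
import json

# Constructed sample inputs (not taken from the advisory or the project).
VALID_SPEC = '{"mark": "bar", "encoding": {"x": {"field": "a", "type": "nominal"}}}'
PYTHON_EXPR = "[1, 2, 3] * 2"  # a Python expression, not JSON: eval() happily runs it

# Assumed allow-list: a subset of Vega-Lite's documented top-level properties.
ALLOWED_TOP_LEVEL = {"$schema", "data", "mark", "encoding", "transform",
                     "width", "height", "title", "layer", "config"}


def load_spec_unsafe(spec_text: str):
    """The vulnerable pattern: the client-controlled string is executed as code."""
    return eval(spec_text)  # shown only to contrast with load_spec_safe()


def load_spec_safe(spec_text: str) -> dict:
    """Parse the specification as data, never as code, then check its shape."""
    try:
        spec = json.loads(spec_text)
    except json.JSONDecodeError as exc:
        # Anything that is not JSON (including every Python expression) stops here.
        raise ValueError(f"specification is not valid JSON: {exc.msg}") from None
    if not isinstance(spec, dict):
        raise ValueError("specification must be a JSON object")
    unknown = set(spec) - ALLOWED_TOP_LEVEL
    if unknown:
        raise ValueError(f"unsupported top-level keys: {sorted(unknown)}")
    return spec


def classify(spec_text: str) -> str:
    """What the hardened handler would report back to the MCP client."""
    try:
        load_spec_safe(spec_text)
        return "accepted"
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    print("unsafe:", load_spec_unsafe(PYTHON_EXPR))  # the expression is evaluated
    print("safe:  ", classify(PYTHON_EXPR))          # rejected as non-JSON
    print("safe:  ", classify(VALID_SPEC))           # accepted
```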